malwarewikiaorg-20200223-history
NoobCrypt
NoobCrypt is a ransomware that runs on Microsoft Windows. It was discovered by security researcher Jakub Kroustek. It is probably aimed at users in New Zealand, because the ransom is quoted in New Zealand and US dollars. NoobCrypt gets its name from taunts found in the executable's code. It has a few variants; three of them are identical except for the ransom amount and the key. A NoobCrypt panel was also sold for 50 dollars.

Payload Transmission

NoobCrypt is distributed through spam e-mail with malicious attachments and through fake updates and installers, including ones posing as Adobe Flash Player.

Infection

NoobCrypt takes the victim's files hostage by encrypting them, making them unusable without the decryption key. It encrypts files with the following extensions:

.3g2, .3gp, .accdb, .aif, .asf, .asx, .avi, .bmp, .cdx, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .flv, .gif, .ico, .iff, .jpeg, .jpg, .m3u, .m3u8, .m4u, .mdb, .mid, .mov, .mp3, .mp4, .mpa, .pdb, .pdf, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .ra, .raw, .rtf, .sldm, .sldx, .sql, .tif, .txt, .vob, .wav, .wma, .wmv, .wpd, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw

After encrypting the victim's files, NoobCrypt drops image files containing a ransom note, which tells the victim what has happened, which files were encrypted, and the amount and method of payment. The note claims that asymmetric cryptography was used and that the private key needed for decryption is held on the command-and-control server. The malware's own behaviour does not bear this out: as described under Removal, each variant accepts a fixed, known key typed into its ransom screen and then decrypts the files locally, so the key check and the decryption routine run on the victim's machine rather than depending on a remote server. To obtain the key, victims are instructed to pay $299 USD (the amount differs between variants; the note quoted below asks for 250 NZD). If the ransom is not paid within 48 hours, NoobCrypt claims that the key will be deleted, making file recovery impossible.
NoobCrypt demands that the ransom be paid in Bitcoin, a pseudonymous cryptocurrency. The message also claims that some of the victim's files will be deleted every two hours, a further attempt to scare the victim into paying as soon as possible. The ransom note reads as follows (reproduced verbatim, including its errors):

    Your personal files are encrypted!
    Coded in R0MANIA
    Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer.
    Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key.
    You have 48 hours to pay 250 NZD in Bitcoins to get the decryption key.
    Every 2 hours files will be deleted. Increasing in amount every time frame.
    If you do not send money within provided timeframe you files will be permanently cryptic and no one will be able to recover them.
    In order to pay use a phone of a laptop!

When a victim enters guesses into the key field to try to decrypt their files, the ransomware taunts them. For example, entering 123 produces an alert with the message "123 is not the code! You idiot. GO PAY IF U WANT UR PC BACK. NOOB HAH".

Removal

Each release of NoobCrypt has a specific Bitcoin address and ransom amount associated with it, which identify the variant. Jakub Kroustek identified the password (decryption key) that each variant accepts. Once the key for the variant is identified, the victim enters it into the Key field of the ransom screen and clicks the Check button. If the key is accepted, the screen displays a message and the victim's files are decrypted. Because the key is verified and the files are decrypted locally, no payment is needed for these variants.

Category:Assembly Category:Ransomware Category:Win32 Category:Microsoft Windows Category:Win32 trojan Category:Win32 ransomware
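The Infection and Removal sections together make one point worth seeing in code: a ransom screen that can verify the entered key offline means the key (or enough to check it) is inside the sample, whatever the note says about a "secret Internet server". The script below is an added illustration and is not NoobCrypt's own code: the fake "binary", the XOR/SHA-256 stand-in cipher, the embedded key value and the victim file are all constructed here, and the page does not describe NoobCrypt's real cipher, file layout or how its keys were extracted. It uses the extension list from the page for a targeting check, models the key-field behaviour described above, and then recovers the key from the sample by trying each embedded string against the known magic bytes of the encrypted file type.

```python
"""Added example (not NoobCrypt code): hardcoded-key ransom screens are
self-defeating. Cipher, sample bytes and key below are stand-ins."""
import hashlib
import re

# Extensions listed on the page. Matching is done case-insensitively here;
# NoobCrypt's own comparison rule is not documented on the page.
TARGETED_EXTENSIONS = frozenset("""
.3g2 .3gp .accdb .aif .asf .asx .avi .bmp .cdx .db .dbf .doc .docb .docm
.docx .dot .dotm .dotx .flv .gif .ico .iff .jpeg .jpg .m3u .m3u8 .m4u .mdb
.mid .mov .mp3 .mp4 .mpa .pdb .pdf .png .pot .potm .potx .ppam .pps .ppsm
.ppsx .ppt .pptm .pptx .ra .raw .rtf .sldm .sldx .sql .tif .txt .vob .wav
.wma .wmv .wpd .xla .xlam .xll .xlm .xls .xlsb .xlsm .xlsx .xlt .xltm .xltx
.xlw
""".split())

# Magic bytes for a few of the targeted types; used as known plaintext.
MAGIC = {".pdf": b"%PDF", ".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG",
         ".gif": b"GIF8", ".docx": b"PK\x03\x04"}


def is_targeted(filename: str) -> bool:
    """True if the file carries one of the extensions NoobCrypt encrypts."""
    dot = filename.rfind(".")
    return dot != -1 and filename[dot:].lower() in TARGETED_EXTENSIONS


def keystream_xor(key: str, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream.
    Encrypting and decrypting are the same operation; a prefix of the
    ciphertext decrypts on its own, which the recovery below relies on."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key.encode() + offset.to_bytes(8, "little")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


def ransom_screen_check(entered: str, embedded_key: str) -> str:
    """Models the key field described on the page: the sample compares the
    entry with the key it carries and taunts on a mismatch."""
    if entered == embedded_key:
        return "Key accepted, decrypting files."
    return f"{entered} is not the code! You idiot. GO PAY IF U WANT UR PC BACK. NOOB HAH"


def printable_strings(blob: bytes, min_len: int = 8) -> list:
    """strings(1)-style scan: runs of printable ASCII of at least min_len."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def recover_key(sample: bytes, encrypted_file: bytes, ext: str):
    """Try every embedded string as the key and accept the one that turns
    the start of the file back into the expected magic bytes."""
    magic = MAGIC[ext.lower()]
    for candidate in printable_strings(sample):
        if keystream_xor(candidate, encrypted_file[:len(magic)]) == magic:
            return candidate
    return None


# Constructed stand-in for a sample: header, filler, a note string and the
# key laid out like string constants in a compiled binary. Hypothetical key.
EMBEDDED_KEY = "R0MANIA-variant-A-key"
FAKE_SAMPLE = (b"MZ\x90\x00" + bytes(range(256))
               + b"\x00Your personal files are encrypted!\x00"
               + EMBEDDED_KEY.encode() + b"\x00" + bytes(range(255, -1, -1)))

# Constructed victim file and its encrypted form.
VICTIM_PDF = b"%PDF-1.4\n%constructed sample document\n"
ENCRYPTED = keystream_xor(EMBEDDED_KEY, VICTIM_PDF)

if __name__ == "__main__":
    print("report.PDF targeted:", is_targeted("report.PDF"))
    print(ransom_screen_check("123", EMBEDDED_KEY))
    key = recover_key(FAKE_SAMPLE, ENCRYPTED, ".pdf")
    print("recovered key:", key)
    print("decrypted:", keystream_xor(key, ENCRYPTED) == VICTIM_PDF)
```

The trial-decryption check is what makes the string scan trustworthy: a candidate is only accepted when it restores the file type's magic bytes, so filler strings and the ransom-note text in the sample are rejected without any knowledge of where in the binary the key lives.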